CVE-2017-15055

8.1 HIGH
Published: November 27, 2017 Modified: May 13, 2026
View on NVD

Description

TeamPass before 2.1.27.9 does not properly enforce item access control when requesting items.queries.php. It is then possible to copy any arbitrary item into a directory controlled by the attacker, edit any item within a read-only directory, delete an arbitrary item, delete the file attachments of an arbitrary item, copy the password of an arbitrary item to the copy/paste buffer, access the history of an arbitrary item, and edit attributes of an arbitrary directory. To exploit the vulnerability, an authenticated attacker must tamper with the requests sent directly, for example by changing the "item_id" parameter when invoking "copy_item" on items.queries.php.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
http://blog.amossys.fr/teampass-multiple-cve-01.html
Source: cve@mitre.org
Exploit Technical Description Third Party Advisory
https://github.com/nilsteampassnet/TeamPass/commit/5f16f6bb132138ee04eb1e0debf2bdc7d7b7a15f
Source: cve@mitre.org
Patch
http://blog.amossys.fr/teampass-multiple-cve-01.html
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Technical Description Third Party Advisory
https://github.com/nilsteampassnet/TeamPass/commit/5f16f6bb132138ee04eb1e0debf2bdc7d7b7a15f
Source: af854a3a-2127-422b-91ae-364da2661108
Patch

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.1 / 10.0
EPSS (Exploit Probability)
0.3%
57th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-269

Affected Vendors

teampass

Related CVEs

CVE-2026-1291 4.3
CVE-2026-11624 N/A
CVE-2026-9629 6.4
CVE-2026-3297 6.4
CVE-2026-2470 4.3